Information on scanning COBOL code in AppScan Source

Technote (FAQ)

Question

How can I get more information on the scan rules that IBM Security AppScan Source for Security uses to scan COBOL source code, and what are some of the potential vulnerabilities in COBOL source code?

Cause

COBOL files (.cbl) can be imported directly into AppScan Source for security scanning.

Answer

How can users get more information on the scan rules used by AppScan Source for Security to scan COBOL source code?

Scan rules are difficult to understand because they are written in a mark-up language that only AppScan Source support engineers and developers can interpret. The standard scan rules for COBOL (or any other language) are not accessible to users: they are stored in the database and are not meant to be viewed by users.

There are additional scan rule sets that users can add to each application by right-clicking the application in AppScan Source for Security and going to Properties, then Scan Rules and Rule Sets, but no additional scan rule sets exist for COBOL. Users can also create their own scan rules in the same location (Properties -> Scan Rules and Rule Sets). The rule sets shown there by default (for example Java and ASP.NET) are not the standard scan rules; they are the additional, optional scan rules that AppScan Source provides. The standard ones are not accessible to users.

What are some of the potential vulnerabilities in COBOL source code?

One of the potential vulnerabilities a user may face in COBOL is CALL Setting Manipulation, in which attackers can control values that govern the behaviour of the system, manage specific resources, or otherwise affect the functionality of the application.

Another is Hardcoded Password in COBOL Comment, in which a user puts a password in a comment that an unauthorised user can read. To get a better understanding of which vulnerabilities AppScan Source identifies for COBOL, it is best to scan a COBOL application with AppScan Source.
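The following is an added illustration of the two findings described above, not an AppScan Source rule or any IBM code: a small Python checker that parses fixed-format COBOL comments (column 7 `*` or `/`, or inline `*>`) to flag password-like text in comments, and flags CALL statements whose target is a data item rather than a quoted literal as CALL Setting Manipulation candidates that warrant review of where the value comes from. The sample program, the regular expressions and the heuristic itself are assumptions constructed for this example.

```python
import re

# Constructed sample COBOL source (not from the technote): fixed format with
# sequence numbers in columns 1-6 and the indicator area in column 7.
SAMPLE_COBOL = """\
000100 IDENTIFICATION DIVISION.
000200 PROGRAM-ID. PAYROLL.
000300* Temporary DB login for testing: PASSWORD = 'Summer2024!'
000400 DATA DIVISION.
000500 WORKING-STORAGE SECTION.
000600 01 WS-PROG-NAME    PIC X(8).
000700 PROCEDURE DIVISION.
000800     ACCEPT WS-PROG-NAME FROM COMMAND-LINE.
000900     CALL WS-PROG-NAME USING WS-REC.  *> dynamic call
001000     CALL 'AUDITLOG' USING WS-REC.
001100     STOP RUN.
"""

# Heuristic patterns (assumed for this example, not AppScan's rule syntax)
PASSWORD_RE = re.compile(r"\b(password|passwd|pwd)\b\s*[=:]\s*\S+", re.I)
# CALL followed by an identifier (not a quoted literal) is a dynamic call
DYNAMIC_CALL_RE = re.compile(r"\bCALL\s+([A-Z0-9-]+)\b", re.I)

def comment_text(line):
    """Return the comment part of a fixed-format COBOL line, or '' if none.
    Column 7 '*' or '/' marks a full-line comment; '*>' starts an inline one."""
    if len(line) >= 7 and line[6] in "*/":
        return line[7:]
    if "*>" in line:
        return line.split("*>", 1)[1]
    return ""

def code_text(line):
    """Return the code part (columns 8-72) of a non-comment line, minus any
    trailing inline comment."""
    if len(line) >= 7 and line[6] in "*/":
        return ""
    return line[7:72].split("*>", 1)[0]

def scan_cobol(source):
    """Return (line_no, finding) tuples for the two weakness categories."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if PASSWORD_RE.search(comment_text(line)):
            findings.append((no, "Hardcoded Password in COBOL Comment"))
        m = DYNAMIC_CALL_RE.search(code_text(line))
        if m:
            findings.append((no, f"CALL Setting Manipulation candidate: CALL {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for no, finding in scan_cobol(SAMPLE_COBOL):
        print(f"line {no}: {finding}")
```

The dynamic-CALL check only reports candidates; a reviewer still has to trace whether the data item (here filled from COMMAND-LINE) can be influenced by an untrusted party.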